Identification system safeguarded against misuse

ABSTRACT

An identification card with interior circuits, including memory means, for use in a credit or identification system, into which the user enters a &#34;secret&#34; number and then the input gate to that part of the memory means is destroyed for security purposes.

FIELD AND BACKGROUND OF THE INVENTION

This invention relates to a security system which protects againstmisuse and counterfeiting associated with banking transactions inparticular, such as manual or automatic dispensing of money, by usingidentificands, such as credit cards, check cards, machine-read cards andthe like, which bear identification and card use data which can be readvisually and by machine, and by utilizing an individual distinguishingdevice, such as a personal identification number (PIN), to check whetherthe user is entitled to use the identificand.

As the system of the invention is not limited to the use of a card, butcan also employ a key, a coded token, or the like, the generic term"identificand" consequently is used hereinafter for the element usablewith the system, and includes either a card of the mentioned type, acoded token, or a key, or the like.

In systems of this general type, the intention is to protect theidentificand from misuse and counterfeiting, and such systems have beenthe subject of many previous proposals, patented and otherwise. Thus,some known systems of cash dispensing may use, for example, the accountnumber as an identification and, for protection, a personal referencenumber or personal identification number which correlates with theaccount number. The user has to insert his card into a verifying means,such as a machine, and "key in" his personal reference number (PIN) inorder to prove or check his right to use the identificand. Obviously, insuch a case, evidence of tampering cannot be checked, so that it is easyfor a potential criminal to counterfeit cards if he is able to decipherthe correlation between the account number and the identificationnumber. Deciphering is made easier by the fact that, in all knownmachine cards, the personal identification number (PIN) entered on theidentificand can be easily determined either visually or by machinereading, regardless of whether it is encoded or printed.

Moreover, the identificands carry still other data which might be ofinterest to a criminal, namely, use data. Use data includes theexpiration time or date, the amount of money available to the rightfulowner of the identificand, such as a card, and the conditions of use ofthe identificand. Not only the rightful owner of the card, but also apotential criminal, can easily change, to his or her advantage, this usedata, especially if the use data is recorded on a magnetic strip, knownto the art as "magstrip", on the card, such magstrips beingcharacteristic of machine-read cards only.

While the state of this art is contained in volumes of technicalliterature, it is sufficient to mention, in particular, GermanOffenlegungsschrift No. 1,945,777, U.S. Pat. Nos. 3,891,830, 3,868,057,3,934,122, and 3,702,464, and also British Patent No. 1,197,183. All themachine-read cards covered by the prior art technical literature,however, have the disadvantage that the personal identification number(PIN), even if not always easily deciphered, can be determined, andfurthermore, the machine-read cards can also be misused by the rightfulowner by changing the use data. In other words, the informationcontained in these cards is externally accessible to either the rightfulowner or to a potential criminal.

SUMMARY OF THE INVENTION

Accordingly, the objective of the invention is to provide a securitysystem safeguarded against misuse and counterfeiting, especially in theprocessing of banking transactions, where the known disadvantages,mentioned above, are eliminated. It is a further objective of theinvention to permit the identificand to be used for both machine-readand conventional applications.

In accordance with the foregoing, the basic or underlying concept of thepresent invention is that all or part of the information to be stored inthe identificand, and which is to be protected against misuse orcounterfeiting, is fed into memories which can be loaded only one timeand permanently and, in addition, the fed-in information cannot bedetermined from outside the identificand or, in other words, is notaccessible externally. In order to be able to utilize theseidentificands, the identificands further include internal memories andmeans to compare data, transmitted from the exterior, with the storeddata, and which are readable only within the identificand, for example,for the purpose of checking identity and right of use or entitlement. Inidentificands embodying the invention and for use with machines, thereare included, in the identificand, further memories and circuitryelements which make possible communication with the machine, forexample, through input/output devices for connection to the machineeither electrically, magnetically, or otherwise.

It is known from the prior art that memories have been developed inwhich only one entry can be made and from which nothing can be erased.However, such memories can and must be readable from outside (see U.S.Pat. No. 3,702,464 covering a ROS MEMORY). With the present invention,the system and the data protected in the identificand cannot bedetermined from the exterior and so the system does not require furthersecrecy measures. With the present invention, the potential criminal, orthe rightful user attempting to misuse the identificand, may know allthe specifics, but still will not be able to misuse the identificand orto break into the system with success.

As the invention requires a number of memories and control circuits, itis practical to combine all of these elements into one integratedcircuit (IC) or "chip" incorporated in the identificand. Such integratedcircuits, moreover, increase protection against tampering with theidentificands themselves since, without considerable difficulty andexpense, a criminal would hardly be able to determine the layout of anIC and copy it.

As a further security measure, the invention assures that, when theidentificand is first initialized, for example, by assigning a "neutral"identificand to a client through entering the account number and apersonal identification designation, such as a personal identificationnumber (PIN), no misuse is possible. Prior to this, during manufacture,a protective code is entered into the identificand, and this code can beread only under certain conditions, and only once. Additionally, as anessential feature, the client is free to select his own personalidentification number (PIN), and this number can then be completelyindependent of other data in the identificand.

The system of the invention has many advantages over current systems andcurrent cards. Thus, the system of the invention permits conventional aswell as machine-read cards to be used. Furthermore, misuse of thesystem, by modifying or changing the use data, is as impossible by therightful owner of the card as by an unauthorized person. As the userhimself is free to determine his own personal identification number(PIN), there is no need for additional safeguards in the system in orderto maintain assigned code numbers secret. Furthermore, an identificationcard of the system of the present invention can be used with checkingfacilities used with existing credit cards as well as being used withdetection or authenticity checking apparatus developed by the presentinventor.

In checking the identificand, there are three things to be checked:

(1) whether the user is identical with the rightful owner of the card;

(2) whether the account number has been altered in any respect; and

(3) whether or not the card is an authorized card.

This third check results inherently from the first and second checks.The three checks can be made with a device which is about the size,weight and cost of an ordinary pocket-type electronic calculator, suchas presently in widespread use.

An object of the invention is to provide an improved security systemprotecting, against misuse and counterfeiting associated with bankingtransactions in particular.

Another object of the invention is to provide such a security systemeliminating the known disadvantages of known security systems.

A further object of the invention is to provide such a security systemin which the identificand can be used for both machine-read andconventional applications.

For an understanding of the principles of the invention, reference ismade to the following description of typical embodiments thereof asillustrated in the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the Drawings:

FIG. 1 is a somewhat diagrammatic plan view of an identificand, usedwith the system of the invention, in the form of a card or the like;

FIG. 2 is a block diagram of the integrated circuit (IC) of theidentificand shown in FIG. 1;

FIG. 3 is a block diagram of the IC shown in FIG. 1 expanded to includefurther integrated circuitry;

FIGS. 4 and 5 are perspective views of simple checking devices orverifiers usable with the identificand of the invention system;

FIG. 6 is a flow chart of the checking of identificands;

FIG. 7 is a block diagram of an identificand forming part of the systemof the present invention and a machine, in which the identificand isinserted, and also embodying the present invention; and

FIG. 8 is a flow chart of the machine checking process, related to FIG.7.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring first to FIG. 1, this figure shows an identificand 1 designedto be a credit card or Eurocheque card. The identificand 1 carries, inthe area 2, the name of the owner, in the area 3, printed identificationor account numbers, in the area 4, a photo of the owner, and, in thearea 5, the signature of the owner. The area 3 is planned for a shorterside of the card so that the account number remains readable when thecard is introduced into a verifier or checking device.

In addition, the card 1 comprises an integrated circuit (IC) in area 6and, in area 7, internal connectors for the power supply, as well as fordata input and output. The integrated circuit or IC is invisiblyimplanted in the card, as by being enclosed between outer layers ofplastic or the like, such construction of cards with an innerinformation-carrying layer and outer closing layers of plastic or thelike being well-known to those skilled in the art.

A certain area surrounding the IC, indicated at 8, is maintained free ofconductive material so that, when the card is introduced into a machineverifier, checks can be made as to whether or not there are connectionsto the circuitry of the card from a simulated circuit outside themachine. As the total counterfeiting of a card with an identical ICcannot be regarded as feasible, in view of the high financialinvestment, known-how requirements and risk conditions, this step servesto prevent a potential criminal, even if he knows the manner in whichthe IC operates, from constructing a substitute circuit from discretecomponents and connecting such substitute circuit, for example, withwires, to a card which, in this instance, works as an adapter. Themachine furthermore checks whether connections of other kinds have beenmade across the area 8 or the like surrounding the integrated circuit orIC.

FIG. 2 is a block diagram of the IC 6, and all the individual partsillustrated in FIG. 2 are actually integrated into one monolithiccircuit, such as the well-known "chip". The power supply and the datainput and output are fed through connectors 9, which may be eithergalvanic-type connectors or inductive-type connectors. If the feed isinductive, the connectors 9 are supplemented by the necessaryconverters.

The integrated circuit, or IC, comprises the processing unit (PU) 10,which is a special microprocessor, which is controlled by apredetermined program stored in program memory 11. The PU 10 and theprogram memory 11 may, in a modification, be hard wired logic within theintegrated circuit.

The power is fed through integrated power supply 12, in which theoutside power is converted into electrical values necessary foroperation of PU 10. A consistently high outside power supply isessential for the programming unit 19 of the IC to be able to programthe memories 13 through 17. For this reason, a check is made, in powersupply unit 12, as to whether the power supply is high enough toactivate PU 10 consistently, and whether such power supply is indeedsufficient to destroy the IC in the case of cards which have beenprogrammed to self-destruct when misused. When the power supply is toolow, the IC will not operate.

The self-destruct device in the IC can, for example, be implemented byswitching changes in the programming of gate 24. Normally, this gateremains open, and the use data can be read from memory 16. If, duringthe process of identification checking, it becomes necessary to bar useof the identificand, gate 24 will be closed automatically so that usedata can no longer be read. PU 10 will, for example, operate only whenuse data can be read.

The self-destruct effect can be triggered by the card itself through acorresponding control of the program memory 11, as well as through atriggering signal from the exterior. In machine-read cards, such atriggering signal can be generated by the machine when additional checksin the machine demand such destruction.

All data input and output occurs through the input/output unit or device18. PU 10 is programmed to perform all of the functions described above.When the supply voltage is applied from the outside, the microprocessorof PU 10 starts running automatically and checks, as a first step,whether the supply voltage is high enough.

After this, PU 10 performs further functions through data input, andwhich will be described later. After checking the personalidentification number (PIN) and other information, the output of returnsignals is supplied through input/output unit or device 18.

All the parts of the IC described above are integrated in one piece or"chip" during manufacture. The required memory units 13 through 17 arePROMs (Programmable Read Only Memories) and, during manufacture, can beintegrated into the IC either as a whole or in parts, or can bepreformed as separate ICs.

These PROMs are fed various data at different times in the stepsdescribed hereinafter, to create a personalized identification card froma "neutral" one. The memories 13 through 17 are treated in various ways.Some can be programmed only through gates 20 through 24. Theseprogramming-block circuits can be activated so that no later changes tothe contents of these memories can be made. The memories differindividually as to their readability, for example, only certainpredetermined memories can be read from the outside of the card andothers cannot be read from outside the card. When, why and which partsare programmable or readable is explained hereinafter.

As already stated, the memory part of the integrated circuit or ICcomprises the memories 13 through 17. Memory 13 contains the protectivecode safeguarding the card on its way between the factory and the placeof issuance, and is programmable only as long as gate 20 is open and canbe read only internally, through gate 21.

Memory 14 stores the personal reference number (PIN), which can beentered only when gate 22 is open. This number cannot be read from thecard, but can be made available in PU 10 for comparison purposes.

Memory 15 stores data for the identification of the respective card orthe account owner. Into memory 15, there is fed the account number, orother information, including alpha-numerical information, for theidentification of the account number. It is only after such programmingthat the identificand is correlated to the individual client. This partof the memory is programmable only when gate 23 is open and, afterprogramming, gate 23 is destroyed or made inoperable. Despite this,memory 15 remains readable to PU 10.

Memory 16 stores use data, such as the length of the time period, thelimit of the period, and per diem limits. This data can be enteredthrough gate 24 only at the time the card is issued, for example, atinitializing of the card.

Into memory 17, there is stored, for each use data, such as calendardate, number of mistrials allowed for input of the personal referencenumber or PIN, account transactions, etc.

The entire procedure of initializing and using the card will now bedescribed, using, as an example, a monetary application.

The last step in manufacture of the card is to enter, into memory 13, aprotective code in the form of a numeral, created in a random generator.At the same time, this protective code is printed on a separate slip.After the protective code input, gate 20 is destroyed so that a changeof the protective code, or entering of another digit into memory 13, isno longer possible. The printed slip is secretly and automaticallysealed into an envelope. The cards and envelopes are stored and handledseparately. Up to this point, the cards are still "neutral". Uponissuance of a card to a customer, the "neutral" card is "married" to theenvelope bearing the same serial number on the outside. Then theenvelope is opened, preferably by the customer himself, and the visuallyreadable protective code is learned.

The card is then introduced into the coding device or encoder at theplace of issuance, so that the data specific to the customer can beentered. To effect this, the customer first enters the protective codenumber, through the input/output unit or device 18, into PU 10, where acomparison is made with the protective code stored in memory 13. If theresult is negative, then, after a predetermined number of negativetrials, self-destruction of the IC is triggered. If the result ispositive, then the IC 6 transmits a "go" signal to the encoder so thatthe other data can be entered.

Initially, the client or customer secretly enters the personal referencenumber or PIN which he himself has chosen, and which is then againtransferred to PU 10 and from there is stored in memory 14 through gate22. After such storing, gate 22 is automatically destroyed so that thePIN cannot be changed.

Following this, the data to be used for the identification of the clientor customer is fed into the IC. Thus, the account number of the clientis fed into memory 15 through gate 23, after which gate 23 isautomatically destroyed so that this data cannot be changed.

The conditions of use are fed into memory 16 through gate 24, and gate24 is thereafter automatically destroyed. As a last step, the accountstart-up status can be fed into memory 17. After storage of this lastdata, output gate 21 of memory 13 is destroyed so that the card cannotbe initialized a second time with the protective code, since a check ofsuch protective code is no longer possible. The card is now ready tohand over to the client or customer.

If, after expiration, a card is to be revalidated by beingreinitialized, further protective codes are available which will betreated in a like manner. Thus, memory 13, together with gates 20 and21, is provided several times, or is multiplicated. When the time limitfor a card has expired, or the amount of money or credit has been usedup, the client goes to his bank with the card. The bank may hold, inaddition to the first envelope, more sealed envelopes correlated to thecustomer's card, and which contain a second, third, etc., protectivecode. This arrangement is shown in FIG. 3.

The card is now, as already described in connection with the firstprotective code, initialized again after the input of the secondprotective code. At such second initializing, gate 26 is destroyed sothat no further data can be entered in the first transaction memory 17.

Now, gate 30 is opened by special programming so that transactions canbe entered into "Account 2", memory 29 through gate 30. Gates 27 and 28correspond, in their functions, to gates 20 and 21, and the protectivecode-memory 41 corresponds to the protective code-memory 13. The secondand all further protective code memories are programmed, during the laststep of manufacture, with protective code 2, code 3, etc. This extensionof further protective codes and further account memories allows for alonger life and more economical utilization of the electronic parts ofthe card.

To use the card, it is introduced into the reader, verifier or machine,where the supply voltage is initially checked as to needed value,particularly as to the possibility of self-destruction of the IC, ifthis is required.

Verification of the user as to his ownership/user identity is effectedthrough input of the personal reference number or PIN and comparisonthereof with the PIN stored in PU 10. The PIN thus cannot be read fromoutside. If the feedback is positive, the account number can be checkednext, whereby, at the nth mistrial, the IC is automatically destroyed.In addition, the number of mistrials is entered on the card.

With conventional cards, the account number is printed on the face ofthe card so that it can be read and then fed into the checking device.However, with the present invention, the checking of the account numbertakes place in the IC of the card itself. In this check, with thepresent invention, at the nth mistrial, an alarm is triggered since onehas to assume that the account number printed on the card has beenchanged to effect, for example, a debit to a different account. Hereagain, the number of mistrials will be recorded.

In addition to, and/or in combination with, the aforementioned checks,further verification measures are taken, which require an arrangement ofthe function and/or memory circuits, and which cannot be carried out byconventional integrated circuits, that is, which have not been designedfor this particular purpose. This prevents criminals from simulating a"go" signal by using conventional ICs in a counterfeit card withoutgoing through the above-mentioned additional checks.

After completion of all of these checks, the operation itself can bestarted, for example, dispensing of money. If the desired transaction isnot allowed because the credit limit would be exceeded, that is, thattoo much money has been requested, the customer will automaticallyreceive appropriate messages. The check as to whether a transaction isallowed or not is effected in PU 10. If the account number on the cardis also to be readable by the verifying machine, program memory 11 hasto contain a corresponding program.

The recording of transactions is effected in memory 17, by accumulatingall transactions in succession, so that a reading can be taken at anytime. Since the old transaction balances cannot be erased when newentries are made, the entire listing of the account is available. Thus,account statements can be prepared.

The invention is neither limited to banking transactions nor limited tothe utilization of identificands in the form of cards. Thus, through theinvention system, for example, entry into restricted areas can beprotected by admitting only predetermined persons who bear genuine,valid and unfalsified identificands, thereby, proving themselves therightful owners of these identificands.

Furthermore, the identificands can be utilized to permit physical accessto installations only by entitled persons, or to give certain personnelauthorized access to information (data) for storage or retrievalpurposes.

A special advantage is that, since use data is stored in an unalterableway, users are given prescribed boundaries to enable the system to beused in any potential "off-line" applications.

FIGS. 4 and 5 illustrate two examples of a simple checking device forverifying identificands using the system of the present invention, andwhich identificands work in the same manner as Eurocheque cards orcredit cards. These simplified checking devices, shown in FIGS. 4 and 5,check the identity of the user/owner and determine whether the accountnuumber, printed on the outside, has been modified or not. The devicesgenerally check the legitimacy of the card which, by implication, checkwhether or not the necessary IC is installed therein.

The two illustrated devices differ only in the display 31 of the deviceshown in FIG. 4 and which, by comparing the identification/accountnumbers, displays the number read automatically from the card so that itcan be checked visually against the account number 3 printed on anexposed portion of the card 1. In the example shown in FIG. 5, there isno display 31 of the account number.

The checking operation, which compares the number printed on the outsideof the card 1, and which, in this case, is manually entered on keyboard32 by the clerk, is effected internally in the card through IC 6.Depending on the result of the comparison, IC 6 transmits a signal tothe checking device, such as a verifier or reader, indicating "go" or"correct" in position 33, or "alarm" or "incorrect" in position 34.

The signals in positions 33 and 34 serve, in the same way, to comparethe personal reference number or PIN. Switch 35 puts the device intooperation, while erase key 36 terminates check entries or wrong inputs.

In the simple identificand check which is possible with the verifyingmeans shown in FIGS. 4 and 5, the IC could be made to self-destructafter a predetermined number of mistrials in the input of the personalidentification number (PIN) or the identification/account number. Theelectrical power required for such a self-destruct mechanism isavailable in the checking device or verifying means.

With reference to the verifying devices shown in FIGS. 4 and 5, FIG. 6is a self-explanatory flow chart illustrating the checking ofidentificands as applied in the case of conventional credit orEurocheque cards, or other non-machine uses. Thus, the identificand isintrouduced into the checking device or verifying means and the PIN isentered in the checking device. A signal from the identificand IC thenindicates whether the PIN is correct or not. If incorrect, an alarm isprovided. If correct, a "go" signal is provided.

The account or identification number, entered into the checking device,is then readout from the IC of the identificand to provide either a"correct" or "yes" signal or a "incorrect" or "no" signal. In the lattercase, an alarm is given. In the former case, if there is a "yes" or"correct" signal, a release signal is provided.

FIG. 7 is a block diagram illustrating a machine serving to storetransactions in the identificand, and FIG. 8 is a flow chart of theoperation of the machine of FIG. 7. The machine shown in FIG. 7includes, as a checking device, the reader 37 into which theidentificand 1 is to be inserted. Reader 37 provides identificand 1 withpower and sends data to and receives date from the identificand. Theprocessing unit PU 10, with the program memory 11, in identificand 1,controls the machine. Data input is entered on the built-in keyboard 38.

During the checking operation, messages and alarms can be transmittedoutside and, upon completion of the checking process, a "go" signal canbe transmitted to the operations part of the machine to effect thedesired transaction. Besides the transaction data stored in theidentificand, such storage is provided in the machine in data memory 39.This data storage device is either physically transported, at times, tothe host computer location and the information contained read out intothe host computer for further processing or, in "on-line" operations, isprocessed by a host computer.

In addition, the machine shown in FIG. 7 contains a checking device 40which ascertains whether or not there are connections to the outside ofthe reader or the machine from the area where the IC of the identificandis placed and by which the IC of the identificand is placed onlegitimate cards. The system is thus protected against criminals whomight try to substitute the essential functions of the IC in theidentificand with a simulation circuit composed of discrete componentsoutside the identificand. The identificand also can be confiscated bythe machine or otherwise.

Introduction of the identificand into a machine can be arranged in sucha manner that, after the identificand is inserted by a user, a flap orcover can be closed, either manually by the user or automatically. Theflap or cover is so designed that it can, through a locking action,interrupt or physically cut any possible connections to theidentificand. Furthermore, such a flap or cover, combined with a shieldsurrounding the reader part of the machine, protects the identificand,inserted in the machine, from any connections which do not depend onleads, such as electromagnetic or mechanical waves. This locking deviceis so designed that the machine can work only when the hinged flap orcover is tightly closed and stops when the flap or cover is open.

Further checking is then done in a manner similar to that employed forthe simplified checking devices or verifying means shown in FIGS. 4 and5, and wherein, the personal identification number or PIN is enteredinto the machine. The PIN is transmitted into the identificand and thenchecked internally for conformity.

The identificand transmits merely a conformity/nonconformity signal. Ifthe PIN has been entered incorrectly, it is indicated. The input can berepeated n times. In practice, usually three attempts are allowed. Afterthe nth input, an alarm signal is transmitted, the IC in theidentificand is electrically destroyed, and a record of the mistrials ismade in the identificand.

If the personal identification number or PIN has been entered correctly,the user identifying data, stored in the memories, will then betransmitted. Likewise, the use and transaction data will be read andstored in the machine. After this data is read from the identificand,the desired transaction can be entered into the machine. All of this isindicated in the flow chart of FIG. 8.

By means of the use and/or transaction data, it is verified whether thedesired transaction can be permitted. If the transaction is not allowedor permitted, then a signal will be given to this effect, and adifferent transaction information has to be entered into the machine. Ifthe transaction is permissible, the transaction data will then be storedin the identificand, in the machine and/or transmitted to the maincentral processing unit. Following this, a "go" signal is given by thechecking device of the machine and the transaction is processed.

In "off-line" operations, the data storage device is exhcanged at giventimes for empties, and the recorded information is fed into the hostcomputer for processing. As a result, the host computer maintains fileson the account of the identificand's owner so that, depending upon thecycles of data storage device exchange, the central office can keepup-to-date records.

It should be understood that the individual elements of the system ofthe invention, such as identificands, encoders, checking devices andmachines, can also be used in other systems. Consequently, thepatentable novelty of the present invention resides not only in theinvention system but also in the individual elements of the system bothper se or in combination.

While specific embodiments of the invention have been shown anddescribed in detail to illustrate the application of the principles ofthe invention, it will be understood that the invention may be embodiedotherwise without departing from such principles.

What is claimed is:
 1. In a system, secured against misuse andcounterfeiting, for effecting transactions, such as manual or mechanicaldelivery of commodities, services and money while using identificands,such as credit cards, check cards, cards for automatic machines, codedtokens, keys and the like, provided with identification data, processingdata, or both which are readable visually, by a machine, or both, andwhile using a personal identifying designation, such as a personalidentification number (PIN), for verifying the entitlement of the userof the identificand: the improvement comprising, in combination, anidentificand having inaccessibly and integrally incorporated thereinmemories for entry and storage of information therein, including apersonal identifying designation; at least the memory for entry andstorage of the personal identifying designation being chargeable onlyonce, and at least the contents of the memory for the personalidentifying designation being available only within the identificand;verifying means operable to receive said identificand and apply an inputthereto; components included in said identificand and activated,responsive to an input from said verifying means, to effect checking ofthe identity and entitlement of a user of said identificand; andinput-output means included in said identificand for establishingcommunication between said identificand and said verifying means; saididentificand including means preventing external access to said memoriesexcept through said input-output means when in communication with saidverifying means.
 2. In a system secured against misuse andcounterfeiting, the improvement claimed in claim 1, in which saididentificand comprises a processing unit controlling and actuating thestorage and processing operations.
 3. In a system secured against misuseand counterfeiting, the improvement claimed in claim 2, in which saidprocessing unit comprises a microprocesser controlling and actuating thestorage and processing operations.
 4. In a system secured against misuseand counterfeiting, the improvement claimed in claim 2, in which saidprocessing unit comprises an electronic control device in which theprograms are contained in hard-wired logic.
 5. In a system securedagainst misuse and counterfeiting, the improvement claimed in claim 2,including gates interposed between said processing unit and saidmemories capable of being automatically destroyed after the allocateddata have been entered into said memories for the first time.
 6. In asystem secured against misuse and counterfeiting, the improvementclaimed in claim 1, in which daid personal identifying designation is apersonal identification number which can be optional for the entitledowner of the identificand and which can be entered into the memory forentry and storage of the personal identifying designation; said memoriesincluding a memory for entry and storage of the identification data anda memory for entry and storage of the conditions of use of theidentificand.
 7. In a system secured against misuse and counterfeiting,the improvement claimed in claim 2, in which a protective code, in theform of a random number, is entered, during manufacture of theidentificand, into a first memory which is chargeable only once and isavailable only within the identificand, on the one hand, and also, onthe other hand, as a readable number into a concealed informationcarrier; the identificand and the concealed information carrier areseparately handled prior to delivery of the identificand to a user; theprotective code is read from the concealed information carrier andentered into the identificand wherein it is compared internally with thestored protective code for identity; and, responsive to a positiveresult of such comparison, a release signal is produced by theprocessing unit for further processing of the identificand; after whicha personal identifying designation, is entered into a second mamory ofthe identificand.
 8. In a system secured against misuse andcounterfeiting, the improvement claimed in claim 1, including a read-ingate and a read-out gate interposed between said first memory and saidprocessing unit, and capable of being automatically destroyed followingthe initial read-in operation and initial read-out operation,respectively.
 9. In a system secured against misuse and counterfeiting,the improvement claimed in claim 7, in which said identificand comprisesa plurality of sets of said memories for entry and storage ofinformation therein, including a personal identifying designation andsecuring data; said plurality of said sets of said memories beingconnected to said processing unit thereby making possible successivere-uses of said identificand by entering thereinto further protectivecodes and use information data.
 10. In a system secured against misuseand counterfeiting, the improvement claimed in claim 2, in which saidmemories are incorporated in a single integrated circuit with saidprocessing unit.
 11. In a system secured against misuse andcounterfeiting, the improvement claimed in claim 2, in which saidmemories are incorporated in respective integrated circuits additionalto an integrated circuit containing said processing unit.
 12. In asystem secured against misuse and counterfeiting, the improvementclaimed in claim 2, in which the geometric dimensions of the controlelectronics, including all the memories and said processing unit, have apredetermined maximum magnitude; said verifying means, upon insertion ofan identificand thereinto, checking whether, outside the admissible areadefined by these maximum geometric dimensions, there are connections fortransmitting signals into or out of said admissible area.
 13. In asystem secured against misuse and counterfeiting, the improvementclaimed in claim 12, in which, responsive to the presence of saidconnections, said verifying means releases a signal disabling saidcontrol electronics.
 14. In a system secured against misuse andcounterfeiting, the improvement claimed in claim 12, in which,responsive to the presence of said connections, said verifying meansreleases a signal interrupting further checking operation of saidverifying means.
 15. In a system secured against misuse andcounterfeiting, the improvement claimed in claim 1, in which saidverifying means is an automatic machine including a reader into whichthe identificand is introduced; and screening means interposed betweenthe identificand, in its inserted position, and the environment of saidreader, screening the identificand against conduction-independentconnections including electromagnetic and mechanical waves.
 16. In asystem secured against misuse and counterfeiting, the improvementclaimed in claim 1, in which said verifying means is an automaticmachine including a reader into which the identificand is inserted; anda mechanical closing device included in said machine and operable,responsive to insertion of an identificand into said reader, tointerrupt any connections leading from the identificand to the exterior.17. In a system secured against misuse and counterfeiting, theimprovement claimed in claim 1, including protective coatings protectingthe components within said identificand against external wave energy.18. In a system secured against misuse and counterfeiting, theimprovement claimed in claim 1, in which the components within saididentificand are destroyed responsive to opening of the identificand orpeeling of layers thereof.
 19. In a system secured against misuse andcounterfeiting, the improvement claimed in claim 1, in which, responsiveto non-observance of predetermined checking criteria during use of theidentificand, the components within said identificand are automaticallymade inoperable.
 20. In a system secured against misuse andcounterfeiting, the improvement claimed in claim 1, in which, uponnon-observance of checking criteria during use of the identificand, thecomponents within said identificand deliver a signal to said verifyingmeans.
 21. In a system secured against misuse and counterfeiting, theimprovement claimed in claim 20, in which said verifying means,responsive to the delivery of said signal thereto from saididentificand, prevents further functioning of the components within saididentificand.
 22. For use in a system secured against misuse andcounterfeiting, an identificand having inaccessibly and integrallyincorporated therein memories for entry and storage of informationtherein, including a personal identifying designation; at least thememory for entry and storage of the personal identifying designationbeing chargeable only once, and at least the contents of the memory forthe personal identifying designation being available only within theidentificand; components included in said identificand and activated,responsive to an input to said identificand, to effect checking of theidentity and entitlement of a user of said identificand; andinput-output means included in said identificand for establishingcommunication between said identificand and a verifying means; saididentificand including means preventing external access to said memoriesexcept through said input-output means when in communication with averifying means.
 23. An identificand, as claimed in claim 22, furthercomprising a processing unit controlling and actuating the storage andprocessing operations.
 24. An identificand, as claimed in claim 23,including gates interposed between said processing unit and saidmemories capable of being automatically destroyed after the allocateddata have been entered into said memories for the first time.
 25. Anidentificand, as claimed in claim 22, in which said personal identifyingdesignation is a personal identification number which can be optionalfor the entitled owner of the identificand and which can be entered intothe memory for entry and storage of the personal identifyingdesignation; said memories including a memory for entry and storage ofthe identification data and a memory for entry and storage of theconditions of use of the identificand.
 26. An identificand, as claimedin claim 23, in which a protective code, in the form of a random number,is entered, during manufacturing of the identificand, into a firstmemory which is chargeable only once and is available only within theidentificand, on the one hand, and also, on the other hand, as areadable number into a concealed information carrier; the identificandand the concealed information carrier are separately handled prior todelivery of the identificand to a user; the protective code is read fromthe concealed information carrier and entered into the identificandwherein it is compared internally with the stored protective code foridentity; and, responsive to a positive result of such comparison, arelease signal is produced by the processing unit for further processingof the identificand; after which a personal identifying designation isentered into a second memory of the identificand.
 27. An identificand,as claimed in claim 26, comprising a plurality of sets of said memoriesfor entry and storage of information therein, including a personalidentifying designation and securing data; said plurality of said setsof memories being connected to said processing unit thereby makingpossible successive reuses of said identificand by entering thereintofurther protective codes and use information data.